
This one is way above my pay grade, which in computer terms is not very high, but I have never been hit this bad. I am new to this site so I'm not sure what information is needed for your help. I went through the malware removal tutorial, and the preparation guide for use before using malware removal tools to no avail. Details of what I have tried are:
1) How to remove a Trojan, virus, worm, tutorial: I followed instructions to boot up in safe mode using F8, Windows Search, and the run button in the start menu. The system configuration utility box would appear for a second, then disappear, followed by a security message "msconfig.exe is infected by W32/ Blaster.worm".
2) I read the preparation guide, like I said above, to try to back up what files I could and got the same warning message.
3) Tried to change settings to view hidden files, and got the same message.
4) I attempted to run anti-virus software such as AVG, McAfee, Spybot- Search and Destroy, and none would start.
I unplugged the internet connection from the modem when the problem arose because a message from McAfee stated I had an intrusion, and files were being leaked from an unknown origin. Every few minutes a security protection screen pops up saying potentially dangerous files were found, and that I should activate that program. Don't worry, I'm not quite that stupid, I did not activate or even think about doing so.
Like I said, all of my files and systems are inoperable to me. Please let me know what you need, and I will be grateful to have any assistance.

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

Do not run any other tool until instructed to do so!

Please Do not Attach logs or put in code boxes.

Tell me about any problems that have occurred during the fix.

Tell me of any other symptoms you may be having as these can help also.

Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Hey Gringo,
I just wanted to be sure of your instructions because you said to download the 3 programs to my desktop. I am using a wireless laptop right now. I unplugged the ethernet to the problem pc. I did download those programs to a flash drive just in case, but do I need to connect the ethernet and log onto BC with the infected computer?

Ok, I downloaded Defogger from the flash drive, and tried to run it. A program window appeared then closed, and a security warning came up from the bottom toolbar and said: File Defogger is infected by W32/ Blaster.worm. I got the same when I tried the other two. Also, when I insert the flash drive the security message I get is: mobsync.exe is infected by W32/ Blaster.worm, and wmplayer.exe is infected by W32/ Blaster.worm.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

Link 1
Link 2
Link 3

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts. When finished, it will produce a report for you.

Note 1: Do not mouse-click combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

In your next post I need the following

Log from Combofix

let me know of any problems you may have had

How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here --><-- Don't worry every little bit helps.

Bad news Gringo. I downloaded ComboFix using a flashdrive, and ran it as directed. It scanned for a few seconds, and then was shut down. I tried to re-run it two more times with the same results as before, with the Defogger and RKUnhookerLE.

After you have them on your desktop restart your computer and as soon as you can start with RKill

:Rkill:

Double click on Rkill.

A command window will open then disappear upon completion, this is normal.

Please leave Rkill on the Desktop until otherwise advised.

Note: You will likely see a message from this rogue telling you the file is infected. Ignore the message. Leave the message OPEN, do not close the message. Run rkill repeatedly until it's able to do its job. This may take a few tries. You'll be able to tell rkill has done its job when your desktop (explorer.exe) cycles off and then on again.

Once the tool has run, do NOT reboot the machine. If for some reason the machine reboots, repeat the process. Again, try not to restart the machine.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Let me have these logs and let me know how the computer is doing

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here --><-- Don't worry every little bit helps.

Good morning,
I tried running rkill probably 30 times and could not get it to start. A window didn't even appear, as it did with ComboFix and Defogger, but I did still get the same warning message about Blaster.worm. I also tried running exeHelper, which did start to run, but got shot down. I'm not sure if it is relevant or not, but when I restart the computer a Windows activation screen comes up. My options are to click on activate, which sends me to an activation screen where I can put in my product key. The other option is an activate later button that is on a timer. If I don't click on "activate now" after about 15 seconds, activate later becomes available. I have never had a problem this bad, so I'm ignorant to the severity, but on a scale 1-10 (10=bad) where are we? It is quite possible that I am not running these files correctly from the flash drive. I'm scared to hook this thing back up to the internet. If you think it would be more effective, then that is what I will do.

This infection changes settings on your computer so that when you launch an executable, a file ending with .exe, it will instead launch the infection rather than the desired program. To fix this we must first download a Registry file that will fix these changes. From a clean computer, please download the following file and save it to a removable media such as a CD/DVD, external Drive, or USB flash drive.

Insert the removable device into the infected computer and open the drive letter associated with it. You should now see the FixNCR.reg file that you had downloaded onto it. Double-click on the FixNCR.reg file to fix the Registry on your infected computer.

When the installation begins, follow the prompts and do not make any changes to default settings.

When installation has finished, make sure you leave both of these checked:

Update Malwarebytes' Anti-Malware

Launch Malwarebytes' Anti-Malware

Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.

If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

Make sure the "Perform Quick Scan" option is selected.

Then click on the Scan button.

If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.

The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.

When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".

Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

Click on the Show Results button to see a list of any malware that was found.

Make sure that everything is checked, and click Remove Selected.

When removal is completed, a log report will open in Notepad.

The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.

Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

Exit MBAM when done.

Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Reboot into Safe Mode with Networking

How to enter safe mode (XP/Vista) using the F8 method: Restart your computer. When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu. Select the option for Safe Mode with Networking using the arrow keys. Then press enter on your keyboard to boot into Safe Mode.

Double-click SUPERAntiSpyware.exe and use the default settings for installation.

An icon will be created on your desktop. Double-click that icon to launch the program.

If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)

In the Main Menu, click the Preferences... button.

Click the Scanning Control tab.

Under Scanner Options make sure the following are checked (leave all others unchecked):

Close browsers before scanning.

Scan for tracking cookies.

Terminate memory threats before quarantining.

Click the "Close" button to leave the control center screen.

Back on the main screen, under "Scan for Harmful Software" click Scan your computer.

On the left, make sure you check C:\Fixed Drive.

On the right, under "Complete Scan", choose Perform Complete Scan.

Click "Next" to start the scan. Please be patient while it scans your computer.

After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".

Make sure everything has a checkmark next to it and click "Next".

A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.

If asked if you want to reboot, click "Yes".

To retrieve the removal information after reboot, launch SUPERAntispyware again.

Click Preferences, then click the Statistics/Logs tab.

Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.

If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.

Please copy and paste the Scan Log results in your next reply.

Click Close to exit the program.

If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here --><-- Don't worry every little bit helps.
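The post above explains the mechanism behind the symptoms in this thread: the rogue rewrites the file-association entries for .exe so that launching any program starts the infection instead. As an added, read-only example (not from the thread, not from any of the tools mentioned in it), the PowerShell script below reads the standard Windows association keys for .exe and reports any value that differs from the stock default. The registry paths and the expected values ('exefile' and '"%1" %*') are the normal Windows defaults; nothing here is taken from FixNCR.reg, whose contents are not shown in the thread. The script changes nothing, so it is safe to run from a clean or repaired machine, or against a hive loaded from an offline disk, to confirm whether the redirection is present before or after a fix.

```powershell
# Added example, not part of the original thread.
# Read-only check of the .exe file-association registry keys that this kind of
# rogue hijacks. Run from an elevated PowerShell prompt.
# Stock Windows values: '.exe' -> 'exefile', and the exefile open command is '"%1" %*'.
# Anything else deserves a closer look.

$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Classes\.exe';                       Expect = 'exefile' },
    @{ Path = 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command'; Expect = '"%1" %*' },
    # Per-user entries override the machine-wide ones, so rogues often plant them here.
    @{ Path = 'HKCU:\Software\Classes\.exe';                       Expect = 'exefile' },
    @{ Path = 'HKCU:\Software\Classes\exefile\shell\open\command'; Expect = '"%1" %*' }
)

foreach ($c in $checks) {
    if (-not (Test-Path -Path $c.Path)) {
        # Missing HKCU keys are the normal state; missing HKLM keys are not.
        "{0,-60} absent" -f $c.Path
        continue
    }
    # Read the key's (Default) value; an empty string means it exists without one.
    $actual = (Get-ItemProperty -Path $c.Path).'(default)'
    if ($null -eq $actual) { $actual = '' }
    $status = if ($actual -eq $c.Expect) { 'OK' } else { 'SUSPECT' }
    "{0,-60} {1,-8} actual: {2}" -f $c.Path, $status, $actual
}
```

A SUSPECT line whose actual value points at a file in a temp or profile folder is the signature of the redirection described above; the HKCU entries are worth checking even when HKLM looks clean, because the per-user key wins when both exist.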

I attempted to run the FixNCR.reg as you said, and I got the same results as before. I then restarted the computer and tried again. The program started up, but was quickly closed like the others. The only difference this time is after I ran the program and restarted, a message from Windows came up. It was just barely visible over the taskbar. It read: "Spooler SubSystem App stopped working and was closed". This time I used a different flash drive to download and run the programs. I am getting error messages when I scan, the one I have been using, from a clean computer I'm downloading from.

Hey gringo,
I already tried booting into safe mode before I posted anything in the forum. When I restart/boot up the computer, I get sent straight to a Windows activation prompt. I tried inputting the activation key, and I'm told that it is invalid. Pressing F8 prior to that screen does nothing. If I use F8 while the screen is up, it sends me to the Windows user account log on. I click on my account, which is the only one, and get sent back to the Windows activation screen. The malware stops the command prompt from running, and "msconfig" gets shut down no matter how I try to run it. I have tried the only 5 ways that I am aware of. I'm running Windows Vista Home Basic.